PONT Data&Privacy

NIS2: Strengthening cybersecurity through risk-based thinking

The European NIS2 Directive, which will be incorporated into the Dutch Cybersecurity Act, introduces new, stricter requirements for cybersecurity and information security. Organizations in key and important sectors become responsible not only for their own digital security, but also for cyber risks throughout their supply chain.

May 26, 2025

Starting in the fall of 2025, the new rules will be in effect, but exactly what they will look like has not yet fully crystallized. Belgium, for example, uses the CyberFundamentals (CyFun) framework, while Dutch companies must use internationally recognized standards to comply.

Practice and perspective

Robert van Vianen, partner at BDO Digital, talked about this with Jasper Nagtegaal, director of Digital Resilience at regulator RDI, and Mark Butterhoff, CISO at IMCD, during a recent webinar. The trio discussed how organizations can operate in a secure and compliant environment.

Charting rules

"The broad formulation of NIS2 causes many organizations to struggle with questions such as: How do you map the rules? How do you manage implementation and compliance? And how do you make this demonstrable?" said Van Vianen. An example from the healthcare sector shows how BDO systematically maps laws and regulations and identifies similarities. "From this we distill basic rules that run as a common thread through the regulations. This forms the basis for assurance statements, such as an ISO 27001 certification."

Certification as a foundation

International certifications such as ISO 27001 demonstrate that an organization deals with cybersecurity in a structured and systematic manner. This not only facilitates compliance, but also provides confidence to regulators.

IMCD, an international chemicals and food wholesaler, is a good example. The company is pursuing ISO 27001 certification and has standardized its security frameworks around the concept of "test once, comply many". This helps the company manage regulatory complexity and make its processes more efficient.

From compliance to resilience

According to regulator Nagtegaal, however, certification is only the first step. It is important that organizations look beyond compliance and approach cybersecurity from a risk management perspective. Directors must not only understand what threats exist, but also understand the strategic role of digital assets within their organization. At IMCD, cybersecurity now has a permanent place on the board's agenda, and the board oversees both compliance and risk.

A continuous change program

Cybersecurity is not just a technical issue, but an organization-wide transition. Directors bear the responsibility for ensuring compliance and making sure employees understand and follow the rules. "It's a continuous change program," Van Vianen stressed. With the introduction of NIS2, cybersecurity is higher on the agenda than ever. It represents not only a legal obligation, but also an opportunity for organizations to become more resilient and future-proof.
BDO
